SECURITY
Artificial intelligence company Anthropic PBC today provided details of what it says is the first reported “AI-orchestrated cyber espionage campaign.”
The campaign involved alleged Chinese state-sponsored hackers using Anthropic’s Claude model to automate major portions of a cyber espionage campaign targeting dozens of global organizations. The company says the attackers orchestrated reconnaissance, exploit development and data exfiltration with minimal human involvement, marking one of the clearest examples yet of an AI agent operating as the core engine of an intrusion.
The campaign targeted about 30 organizations across technology, finance, chemicals and the public sector, though only a small number of intrusions succeeded. Campaigns targeting companies are a dime a dozen, but the interesting part is how the attacks were carried out.
The threat actor used Claude and Claude Code to handle 80% to 90% of the operational workflow, including scanning networks, generating exploit code, crawling internal systems and packaging stolen data. Human operators provided strategic oversight, but most hands-on activity ran through automated AI loops.
The attackers bypassed safeguards in the Claude AI model by framing their prompts as penetration-testing tasks and breaking malicious instructions into smaller subtasks that appeared benign. Anthropic says the actor effectively “social-engineered” the system’s guardrails, enabling automated progression through each phase of the intrusion.
The company did not identify the victims but said the activity aligns with a “well-resourced, state-sponsored group” operating out of China.
Anthropic detected the activity in mid-September, immediately suspended the associated accounts and deployed new classifiers and monitoring systems designed to detect similar patterns of misuse.
The company has also published a detailed report describing how the operation unfolded and why AI-driven threats represent a growing challenge for defenders. Often, tasks that once required teams of human operators can now be executed in minutes by an AI agent capable of looping through instructions, evaluating output and deciding the next step.
“The barriers to performing sophisticated cyberattacks have dropped substantially and we predict that they’ll continue to do so,” Anthropic wrote. “With the correct setup, threat actors can now use agentic AI systems for extended periods to do the work of entire teams of experienced hackers: analyzing target systems, producing exploit code and scanning vast datasets of stolen information more efficiently than any human operator.”
The company also noted that the campaign marks a fundamental change in cybersecurity and is advising security teams to experiment with applying AI for defense in areas like Security Operations Center automation, threat detection, vulnerability assessment, and incident response.
“We also advise developers to continue to invest in safeguards across their AI platforms, to prevent adversarial misuse,” added Anthropic. “The techniques described above will doubtless be used by many more attackers, which makes industry threat sharing, improved detection methods and stronger safety controls all the more critical.”